Seal a donor field. Keep the token, not the value.
Turn a sensitive value — an email, a phone number, a name — into an opaque
af_… token and a sealed AES-256-GCM envelope. Public apps and shared systems only ever
see the token. The real value stays sealed until someone with the organization's master key opens it.
Field-level encryption only. This seals individual values with AES-256-GCM — it is not a
whole-database guarantee and it is not described as unbreakable. Everything on this page runs in your
browser: nothing is uploaded, and the passphrase and values you enter never leave this page. Donor PII
never enters a shared datastore.
1
Seal a field
Choose the organization's master key and
the value you want to protect. Nothing here is sent anywhere — the token and envelope are computed in
this browser tab.
2
Open a field
Paste back a sealed envelope and the same
master key to recover the original value. The wrong key — or a tampered envelope — fails cleanly instead
of returning a wrong answer.
3
Bulk seal optional
Paste a list of values, one per line — each
is sealed with the same master key so you can hand a whole column of donor data over to a token list.